Author: jra Date: 2005-09-09 01:10:40 +0000 (Fri, 09 Sep 2005) New Revision: 10098
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=10098 Log: Convert domain join to new style. Jeremy Modified: branches/tmp/RPCREWRITE/source/utils/net_rpc_join.c Changeset: Modified: branches/tmp/RPCREWRITE/source/utils/net_rpc_join.c =================================================================== --- branches/tmp/RPCREWRITE/source/utils/net_rpc_join.c 2005-09-09 00:42:18 UTC (rev 10097) +++ branches/tmp/RPCREWRITE/source/utils/net_rpc_join.c 2005-09-09 01:10:40 UTC (rev 10098) @@ -45,6 +45,7 @@ { struct cli_state *cli = NULL; struct rpc_pipe_client *pipe_hnd = NULL; + int retval = 1; NTSTATUS ret; /* Connect to remote machine */ @@ -87,7 +88,10 @@ struct cli_state *cli; TALLOC_CTX *mem_ctx; uint32 acb_info = ACB_WSTRUST; + uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL; uint32 sec_channel_type; + struct rpc_pipe_client *pipe_hnd = NULL; + struct rpc_pipe_client *netlogon_schannel_pipe = NULL; /* rpc variables */ @@ -135,7 +139,7 @@ #endif } - /* Connect to remote machine */ + /* Make authenticated connection to remote machine */ if (!(cli = net_make_ipc_connection(NET_FLAGS_PDC))) return 1; @@ -147,38 +151,41 @@ /* Fetch domain sid */ - if (!cli_nt_session_open(cli, PI_LSARPC)) { - DEBUG(0, ("Error connecting to LSA pipe\n")); + pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_LSARPC, &result); + if (!pipe_hnd) { + DEBUG(0, ("Error connecting to LSA pipe. Error was %s\n", + nt_errstr(result) )); goto done; } - CHECK_RPC_ERR(cli_lsa_open_policy(cli, mem_ctx, True, + CHECK_RPC_ERR(rpccli_lsa_open_policy(pipe_hnd, mem_ctx, True, SEC_RIGHTS_MAXIMUM_ALLOWED, &lsa_pol), "error opening lsa policy handle"); - CHECK_RPC_ERR(cli_lsa_query_info_policy(cli, mem_ctx, &lsa_pol, + CHECK_RPC_ERR(rpccli_lsa_query_info_policy(pipe_hnd, mem_ctx, &lsa_pol, 5, &domain, &domain_sid), "error querying info policy"); - cli_lsa_close(cli, mem_ctx, &lsa_pol); + rpccli_lsa_close(pipe_hnd, mem_ctx, &lsa_pol); + cli_rpc_pipe_close(pipe_hnd); /* Done with this pipe */ - cli_nt_session_close(cli); /* Done with this pipe */ - /* Create domain user */ - if (!cli_nt_session_open(cli, PI_SAMR)) { - DEBUG(0, ("Error connecting to SAM pipe\n")); + pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_SAMR, &result); + if (!pipe_hnd) { + DEBUG(0, ("Error connecting to SAM pipe. Error was %s\n", + nt_errstr(result) )); goto done; } - CHECK_RPC_ERR(cli_samr_connect(cli, mem_ctx, + CHECK_RPC_ERR(rpccli_samr_connect(pipe_hnd, mem_ctx, SEC_RIGHTS_MAXIMUM_ALLOWED, &sam_pol), "could not connect to SAM database"); - CHECK_RPC_ERR(cli_samr_open_domain(cli, mem_ctx, &sam_pol, + CHECK_RPC_ERR(rpccli_samr_open_domain(pipe_hnd, mem_ctx, &sam_pol, SEC_RIGHTS_MAXIMUM_ALLOWED, domain_sid, &domain_pol), "could not open domain"); @@ -188,7 +195,7 @@ strlower_m(acct_name); const_acct_name = acct_name; - result = cli_samr_create_dom_user(cli, mem_ctx, &domain_pol, + result = rpccli_samr_create_dom_user(pipe_hnd, mem_ctx, &domain_pol, acct_name, acb_info, 0xe005000b, &user_pol, &user_rid); @@ -209,10 +216,11 @@ /* We *must* do this.... don't ask... */ - if (NT_STATUS_IS_OK(result)) - cli_samr_close(cli, mem_ctx, &user_pol); + if (NT_STATUS_IS_OK(result)) { + rpccli_samr_close(pipe_hnd, mem_ctx, &user_pol); + } - CHECK_RPC_ERR_DEBUG(cli_samr_lookup_names(cli, mem_ctx, + CHECK_RPC_ERR_DEBUG(rpccli_samr_lookup_names(pipe_hnd, mem_ctx, &domain_pol, flags, 1, &const_acct_name, &num_rids, @@ -230,7 +238,7 @@ /* Open handle on user */ CHECK_RPC_ERR_DEBUG( - cli_samr_open_user(cli, mem_ctx, &domain_pol, + rpccli_samr_open_user(pipe_hnd, mem_ctx, &domain_pol, SEC_RIGHTS_MAXIMUM_ALLOWED, user_rid, &user_pol), ("could not re-open existing user %s: %s\n", @@ -257,7 +265,7 @@ ctr.switch_value = 24; ctr.info.id24 = &p24; - CHECK_RPC_ERR(cli_samr_set_userinfo(cli, mem_ctx, &user_pol, 24, + CHECK_RPC_ERR(rpccli_samr_set_userinfo(pipe_hnd, mem_ctx, &user_pol, 24, &cli->user_session_key, &ctr), "error setting trust account password"); @@ -279,26 +287,52 @@ /* Ignoring the return value is necessary for joining a domain as a normal user with "Add workstation to domain" privilege. */ - result = cli_samr_set_userinfo2(cli, mem_ctx, &user_pol, 16, + result = rpccli_samr_set_userinfo2(pipe_hnd, mem_ctx, &user_pol, 16, &cli->user_session_key, &ctr); + rpccli_samr_close(pipe_hnd, mem_ctx, &user_pol); + cli_rpc_pipe_close(pipe_hnd); /* Done with this pipe */ + /* Now check the whole process from top-to-bottom */ - cli_samr_close(cli, mem_ctx, &user_pol); - cli_nt_session_close(cli); /* Done with this pipe */ - if (!cli_nt_session_open(cli, PI_NETLOGON)) { - DEBUG(0,("Error connecting to NETLOGON pipe\n")); + pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_NETLOGON, &result); + if (!pipe_hnd) { + DEBUG(0,("Error connecting to NETLOGON pipe. Error was %s\n", + nt_errstr(result) )); goto done; } - /* ensure that schannel uses the right domain */ - fstrcpy(cli->domain, domain); + result = rpccli_netlogon_setup_creds(pipe_hnd, + cli->desthost, + domain, + global_myname(), + md4_trust_password, + sec_channel_type, + &neg_flags); - result = cli_nt_establish_netlogon(cli, sec_channel_type, - md4_trust_password); + if (!NT_STATUS_IS_OK(result)) { + DEBUG(0, ("Error in domain join verification (credential setup failed): %s\n\n", + nt_errstr(result))); + if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) && + (sec_channel_type == SEC_CHAN_BDC) ) { + d_printf("Please make sure that no computer account\n" + "named like this machine (%s) exists in the domain\n", + global_myname()); + } + + goto done; + } + + netlogon_schannel_pipe = cli_rpc_pipe_open_schannel_with_key(cli, + PI_NETLOGON, + PIPE_AUTH_LEVEL_PRIVACY, + domain, + pipe_hnd->dc, + &result); + if (!NT_STATUS_IS_OK(result)) { - DEBUG(0, ("Error domain join verification (reused connection): %s\n\n", + DEBUG(0, ("Error in domain join verification (schannel setup failed): %s\n\n", nt_errstr(result))); if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) && @@ -311,6 +345,9 @@ goto done; } + cli_rpc_pipe_close(pipe_hnd); + cli_rpc_pipe_close(netlogon_schannel_pipe); + /* Now store the secret in the secrets database */ strupper_m(domain); @@ -328,11 +365,7 @@ retval = net_rpc_join_ok(domain); done: - /* Close down pipe - this will clean up open policy handles */ - if (cli->pipes[cli->pipe_idx].fnum) - cli_nt_session_close(cli); - /* Display success or failure */ if (retval != 0) { @@ -348,7 +381,6 @@ return retval; } - /** * check that a join is OK *
